Privacy policies outline a business’ practice on the collection, storage and use of personal data. The standard document is intended for use on a website which collects:
- Basic, non-sensitive personal data (such as name, contact and credit card details) for the purpose of supplying goods or services to users of the site, or for contacting users with direct marketing information.
- Information about users’ online behaviour, like IP addresses and web log data.
It is designed for use in conjunction with the Standard document, Terms of website use (UK) (www.practicallaw.com/5-201-7195), the Standard document, Website terms and conditions of supply (www.practicallaw.com/2-201-7012) and the Standard document, Acceptable use policy (www.practicallaw.com/9-201-6274).
The document does not cater for a situation in which sensitive personal data is collected (such as data relating to racial or ethnic origin, political opinions and religious beliefs), for which “explicit consent” is required (section 2 and Schedule 3, DPA).
For more information, see Practice note, Overview of UK data protection regime: Sensitive personal data: additional rules (www.practicallaw.com/7-107-4765).
The collection and use of personal data by e-businesses in the UK must comply with UK data protection laws. These laws are primarily contained in the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (2003 Regulations) as revised by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) (2011 Regulations).
For a discussion of this legislation generally, please refer to the Practice note, Overview of UK data protection regime (www.practicallaw.com/7-107-4765); for a discussion of the specific data protection issues which website owners need to consider, see Practice note, Data protection and the internet (www.practicallaw.com/9-107-4774).
The DPA applies to data controllers who are:
- Established in the UK (section 5(1)(a)).
- Not established in the UK but where the data controller makes use of equipment situated within the UK, except where this equipment is used only for the purposes of mere transit through the UK (section 5(1)(b)).
For questions to be considered when trying to determine which national data protection law(s) adopted pursuant to the Data Protection Directive (1995/46/EC) may be applicable to the processing of personal data, see Checklist, which national data protection law(s) apply to the processing of personal data (www.practicallaw.com/1-504-9029).
Website operators may have establishments which hold data in a number of countries. If so, they will need to ensure that they comply with the data protection laws in each of those jurisdictions. The standard document ensures compliance with the DPA. This policy may meet the legal requirements in other EU member states. However, since the Data Protection Directive has not been implemented in precisely the same way in each EU member state – in some states, the obligations on the data controller are more onerous than those imposed under the DPA – consideration must be given to the laws of each state in which the site is or is likely to be accessed.
HOW TO USE THIS STANDARD DOCUMENT
Privacy policies are ultimately designed to allow website operators to comply with their fair processing obligation and to obtain the users’ consent to that processing. Users cannot be said to have granted “freely given, specific and informed” consent to processing unless they have been given the opportunity to read the terms on which their data is to be collected, stored, used and shared before they submit the relevant personal data.
The Information Commissioner’s Office advocates a layered notice as the most effective at making individuals aware of how website operators will use their information. This usually consists of two linked notices, one short and one longer.
To comply with best practice, data controllers are therefore encouraged to:
The Monarch Partnership (“We”) are committed to protecting and respecting your privacy.
This policy (together with any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.monarchpartnership.co.uk you are accepting and consenting to the practices described in this policy.
Information about the data controller
- The full name of the data controller must be provided (paragraph 2(3)(a), Part 2, Schedule 1, DPA). This can conveniently be set out at the beginning of the policy.
- The DPA does not require data controllers to appoint a nominated representative for the purposes of the DPA. However, where such a representative is appointed, details must be given to the data subject.
For the purpose of the Data Protection Act 1998 (the Act), the data controller is The Monarch Partnership of
7-9 Stafford Road
- Basic biographical data provided by the user (for example, the user’s name, address, e-mail address, telephone number, and information provided via the site’s interactive and social media functions).
- Information about the user’s visit to the site that is automatically collected by the site (for example, technical information about the user’s browser type and settings and his IP address, pages visited or products viewed, the length of time on each page, page interaction information).
- Information received from other sources including other websites or online services controlled by the data controller and third parties (for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies).
A question arises as to whether an Internet Protocol (IP) address can constitute personal data. An IP address is a 4 to 12-digit number (such as 184.108.40.206) that identifies a specific computer connected to the internet, and which can usually be converted into a more memorable ‘real’ text address known as a domain name (such as www.practicallaw.com). Various internet server computers located around the internet have a database conversion table that automatically converts a domain name into the numeric address of the relevant host site and vice versa. There are also “who is” services offered by sites which, upon the user providing a domain name or IP address, offer information about the owner of that name or address. The Information Commissioner’s view is that an IP address may fall within the definition of personal data under the DPA where it can be linked to an individual user perhaps through other information held or from information that is publicly available on the internet. This issue is not specifically addressed in the DPA.
In many cases, website operators will be permitted to process IP address under the legitimate interest condition set out in paragraph 6(1) of Schedule 2 to the DPA. However, the website operator’s interest must be balanced against the legitimate interest of the user in his privacy. Website operators should therefore exercise caution and process IP addresses only when necessary.
For more information about the nature of IP addresses under data protection laws, see for example, “Data Protection: Protecting personal data in online services” at http://ico.org.uk/media/for-organisations/documents/1042221/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf
And “Practice note, Data protection and the internet: General application of Data Protection Act 1998: Meaning of personal data and processing: IP addresses” (www.practicallaw.com/9-107-4774).
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:
The information you give us. You may give us information about you by filling in forms on our site www.monarchpartnership.co.uk (our site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to our service, and when you report a problem with our site. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph.
Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:
- Your client account details and relevant organizational information in the Client Area
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
- Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site.
Cookies are small data files which most website operators place on the browser or hard drive of their user’s computer. Cookies may gather information about the user’s use of the website or enable the website to recognise the user as an existing customer when he returns to the website at a later date. More recently, cookies have also been used to collect information about the user, which allows the website operator or a third party to create a profile of the user, his preferences and his interests for the purpose of serving the user with targeted, interest-based advertising.
- Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
- Has given his or her consent.
(Regulation 6(1) and (2), revised 2003 Regulations.)
For more information about the purpose limitation principle, visit https://ico.org.uk/for-organisations/guide-to-data-protection/principle-2-purposes/
USES MADE OF THE INFORMATION
We use information held about you in the following ways:
The information you give to us. We will use this information to:
- Carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- Provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
- To provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. to notify you about changes to our service;
- Ensure that content from our site is presented in the most effective manner for you and for your computer.
Information we collect about you. We will use this information to:
- Administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- Improve our site to ensure that content is presented in the most effective manner for you and for your computer;
- Allow you to participate in interactive features of our service, when you choose to do so;
As part of our efforts to keep our site safe and secure.
Sharing personal data
Information should be provided as to whether the data will be accessed by, disclosed or sold to, third parties, and for what purposes (such as for credit card clearance, credit reference, order fulfilment, delivery, data analysis or customer support) (paragraph 2(3)(d), Part 2, Schedule 1, DPA). Some website owners sell customer lists, for example to advertisers (see Practice note, Overview of UK data protection regime: Third party data (www.practicallaw.com/7-107-4765)). It is particularly critical for the data controller to have the right to transfer data on a sale of the business.
DISCLOSURE OF YOUR INFORMATION
We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
Export of personal data to third countries and security
WHERE WE STORE YOUR PERSONAL DATA
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Consent to direct marketing
There is nothing in the DPA or the revised 2003 Regulations that prevents consents from being withdrawn at any time. However, except in the case of direct marketing by electronic means, there is no legal requirement to include a provision reminding users that they may at any time object to processing for the particular purposes to which they consented. Including such a provision may help to promote confidence in the site, although some website owners may prefer not to bring the right to withdraw consents to the attention of visitors to the site.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Subject access requests
Pursuant to section 7 of the DPA, an individual can make a written request:
- To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller; and
- Where that is the case, to be given by the data controller a description of the personal data, the purposes for which they are processed and the recipients to whom they may be disclosed (“subject access request”).
For more information on subject access requests, see Practice note, Overview of UK data protection regime: Rights of individuals: Right of access (www.practicallaw.com/7-107-4765).
ACCESS TO INFORMATION
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.
Changes to the policy
The policy must contain contact details to enable users to withdraw their consents, where the law permits them to object to certain types of processing. In particular, the Information Commissioner has stated that the geographical address of the website operator should be given.
Website acceptable use policy
This acceptable use policy sets out the terms between you and us under which you may access our website www.monarchpartnership.co.uk (our site). This acceptable use policy applies to all users of, and visitors to, our site.
Your use of our site means that you accept, and agree to abide by, all the policies in this acceptable use policy.
www.monarchpartnership.co.uk is a website operated by The Monarch Partnership (we or us). We are a limited company registered in England under company number 4346309 and have our registered office at
7-9 Stafford Road
Our VAT number is 793 6132 10
You may use our site only for lawful purposes. You may not use our site:
- In any way that breaches any applicable local, national or international law or regulation.
- In any way that is unlawful or fraudulent or has any unlawful or fraudulent purpose or effect.
- For the purpose of harming or attempting to harm minors in any way.
- To send, knowingly receive, upload, download, use or re-use any material which does not comply with our content standards.
- To transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam).
- To knowingly transmit any data, send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.
You also agree:
- Not to reproduce, duplicate copy or re-sell any part of our site in contravention of the provisions of our terms of website use.
- Not to access without authority, interfere with, damage or disrupt:
- Any part of our site;
- Any equipment or network on which our site is stored;
- Any software used in the provision of our site; or
- Any equipment or network or software owned or used by any third party.
Where we provide any interactive service, we will provide clear information to you about the kind of service offered, if it is moderated and what form of moderation is used (including whether it is human or technical).
We will do our best to assess any possible risks for users (and in particular, for children) from third parties when they use any interactive service provided on our site, and we will decide in each case whether it is appropriate to use moderation of the relevant service (including what kind of moderation to use) in the light of those risks. However, we are under no obligation to oversee, monitor or moderate any interactive service we provide on our site, and we expressly exclude our liability for any loss or damage arising from the use of any interactive service by a user in contravention of our content standards, whether the service is moderated or not.
The use of any of our interactive services by a minor is subject to the consent of their parent or guardian. We advise parents who permit their children to use an interactive service that it is important that they communicate with their children about their safety online, as moderation is not foolproof. Minors who are using any interactive service should be made aware of the potential risks to them.
Where we do moderate an interactive service, we will normally provide you with a means of contacting the moderator, should a concern or difficulty arise.
These content standards apply to any and all material which you contribute to our site (contributions), and to any interactive services associated with it.
You must comply with the spirit of the following standards as well as the letter. The standards apply to each part of any contribution as well as to its whole. Contributions must:
- Be accurate (where they state facts).
- Be genuinely held (where they state opinions).
- Comply with applicable law in the UK and in any country from which they are posted.
Contributions must not:
- Contain any material which is defamatory of any person.
- Contain any material which is obscene, offensive, hateful or inflammatory.
- Promote sexually explicit material.
- Promote violence.
- Promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age.
- Infringe any copyright, database right or trade mark of any other person.
- Be likely to deceive any person.
- Be made in breach of any legal duty owed to a third party, such as a contractual duty or a duty of confidence.
- Promote any illegal activity.
- Be threatening, abuse or invade another’s privacy, or cause annoyance, inconvenience or needless anxiety.
- Be likely to harass, upset, embarrass alarm or annoy any other person.
- Be used to impersonate any person, or to misrepresent your identity or affiliation with any person.
- Give the impression that they emanate from us, if this is not the case.
- Advocate, promote or assist any unlawful act such as (by way of example only) copyright infringement or computer misuse.
SUSPENSION AND TERMINATION
We will determine, in our discretion, whether there has been a breach of this acceptable use policy through your use of our site. When a breach of this policy has occurred, we may take such action as we deem appropriate.
- Immediate, temporary or permanent withdrawal of your right to use our site.
- Immediate, temporary or permanent removal of any posting or material uploaded by you to our site.
- Issue of a warning to you.
Legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach.
Further legal action against you
Disclosure of such information to law enforcement authorities as we reasonably feel is necessary.
We exclude liability for actions taken in response to breaches of this acceptable use policy. The responses described in this policy are not limited, and we may take any other action we reasonably deem appropriate.